Installing and Configuring Citrix Storefront 2.5.2 and configure Load Balancing on NetScaler 10.5

In almost every production environment you will implement Citrix Storefront on more than one servers to provide high availability (HA) and for load balancing (LB). In this step-by-step guide I will show you how implement Citrix Storefront 2.5.2 on multiple servers and how to configure the load balancing on a NetScaler 10.5 from beginning to the end.


For this setup you need the following;

  • At least two servers with static IP address for the installation of Citrix Storefront
  • A Citrix NetScaler 10.x up and running with the basic configuration
  • A free IP address for the Load Balance vServer on the NetScaler
  • A DNS record pointing to the free IP address for the vServer
  • A server with the Certification Authority and Certification Authority Web Enrollment roles installed on it

My environment

For this setup I will use the following components;

  • Citrix Storefront server 1 running Win2012R2, IP
  • Citrix Storefront server 2 running Win2012R2, IP
  • Citrix NetScaler 10.5
  • Free IP address for Load Balancing vServer:
  • DNS Record: Storefront (pointing to
  • My internal CA is running on server DC1


It’s a Citrix best practice to configure Storefront with HTTPS to secure the traffic. If you use the newest Citrix Receiver or wants to integrate the Citrix AppController with Storefront it’s even a requirement. To secure the traffic you need a SSL certificate, and in a situation where you implement more than one Storefront servers and will load balance these servers as in this case, all Storefront servers including the NetScaler needs a SSL certificate for the same hostname. Therefore use a generic hostname, for example storefront.domain.lan.

You can generate an SSL certificate for each server or generate one SSL certificate on a server and export it so you can install it on the other servers, both ways will work.

In this case I will create a certificate on the NetScaler and export it so I can install it on the Storefront servers. Keep in mind that you also need to install the internal Root CA on the NetScaler, these steps are also included in this guide.

Step 1 – Create and install a SSL Certificate on the NetScaler

In the following steps I will create and install a SSL Certificate on the NetScaler and I will also install the internal Root CA on the NetScaler.


Login to the Citrix NetScaler web GUI and browse to Traffic ManagementSSL. On the right side click Create RSA Key

Fill in the following information;

Key Filename: storefront.key
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Rassphrase: Same as above

Click on Ok

Click on Create CSR (Certificate Signing Request)

Fill in the following information;

Request File Name: storefront.txt
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step

Scroll to the bottom of the page and fill in the following information;

Country: Your Country
State or Province: You State or Province
Organization Name: The name of your organization
City: Name of  your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: storefront.hobo.lan (replace with your hostname and domain name)
Challenge Password: A password you like
Company Name: Your Company Name

Click OK

To download the request file click on Manage Certificates / Keys / CSRs 

NOTE: If using a version below NetScaler 10.5 build 51.x use another tool for downloading files like WinSCP. There is a bug in version 10.5 build 50.x that adds a error line in every file!

Select the storefront.txt file and click Download

Open a web browser and go to your Certification Authority Web Enrollment page (for example https://dc.hobo.lan/certsrv)

To download the Root CA first, click on Download a CA certificate, certificate chain, or CRL

Select Base 64 and click Download CA certificate

Go back to the main screen and click on Request a certificate

Click on advanced certificate request

Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file

Copy the text from the storefront.txt (request file) into the Saved Request window. Select Web Server as Certificate Template. Click Submit

Select Base 64 encoded and click on Download certificate

Open the Citrix NetScaler console and browse to Traffic ManagementSSLCertificates. Click Install

Fill in a Certification name, for example <domain>-CA. Browse (local) to the Root certificate and click Intall

Click on Install again

Fill in a certificate name, for example storefront.<domain>.lan. Browse (local) to the storefront.cer file and browse (appliance) to the storefront.key file.

Enter the Password and click Install.

Right click the storefront.<domain>.lan certificate and click Link

Select the Root CA certificate and click OK

Browse to Traffic ManagementSSL and click on Export PKCS#12

Fill in a File Name, in this case storefront.pfx, and select the storefront.cer and the storefront.key files. Enter the Export Password and the PEM Passphrase. Click OK

Click on Manage Certificates / Keys / CSRs 

Select the storefront.pfx file and click Download

Copy the storefront.pem file to both Storefront servers.

Step 2 – Install Citrix Storefront 2.5.2 (on both Citrix Storefront servers)

In the next steps I will install Citrix Storefront 2.5.2, this needs to be done on both Storefront servers

Start the Storefront setup. Select I accept the terms of this license agreement and click Next

Click Next

Click Install

Click Finish

When the Storefront console starts (automatically) close it.

Step 3 – Install the SSL certificate on the Storefront servers (on both Citrix Storefront servers)

The next step is to install the SSL certificate on both Storefront servers before starting with the Storefront configuration.

Open the Internet Information Services (IIS) Manager. On the left side select the server. In the middle of the screen dubble click on Server Certificates

Click on Import

Select the storefront.pfx file and fill in the Password. Click OK

On the left side, browse to the Default Web Site, on the right side, click Bindings

Click Add

Select https as type and select the storefront SSL certificate. Click OK

Step 4 – Configuring Citrix Storefront 2.5.2 (on server 1)

In the following steps I will configure only the basic settings in Citrx Storefront (for configuring Citrix Storefront for remote access see my blog about that here). These steps must only apply on the first server.

Open the Citrix Storefront console and click on Create a new deployment

The base url is automatic configured with the HTTPS URL. Click Next

Fill in a Store name and click Next

Click Add to add your Delivery Controllers

Fill in the information of your delivery controller and click OK

Click Next

I will skip Remote Access for now. Click Create

Click Finish

Step 4 – Joining the second Storefront server to the Server group

Once you configured the first Citrix Storefront server you can join the second one. The second Storefront server will receive the complete configuration of the Citrix Storefront Server Group.

To do so, follow these steps;

On the first server, open the Server Group page and click on Add Server

You now see an Authorizing Server and a Authorization code. These info must be entered on the second server when joining.

On  the second server, open the Citrix Storefront console. Click on Join existing server group.

Fill in the information from the first server and click Join

Click OK

After a refresh you will see that the server is synchronized and that all the servers now have the same configuration.

Step 5 – Configure Storefront Load Balancing on the Citrix NetScaler

Now that Citrix Storefront is up and running on two servers it’s time to configure the Load Balancing on the NetScaler. For that, I will create 2 servers, 1 monitor, 1 services group and the Load Balancing vServer.


On the Citrix NetScaler, open the Configuration tab and browse to Traffic Management > Load Balancing > Servers

Click Add

Fill in a Server Name, for example “Citrix Storefront 1”. Select IP Address and fill in the IP Address of the first Citrix Storefront server and click Create

Click on Add again to add the second Storefront server.

Fill in a Server Name, for example “Citrix Storefront 2”. Select IP Address and fill in the IP Address of the second Citrix Storefront and click Create


Browse to Traffic Management > Load BalancingMonitors

Click Add

Fill in a Name, for example “Storefront Monitor” select STOREFRONT as Type.


Browse down to the bottom and enable Secure. Browse back to the top.

Open the Special Parameters tab. Fill in the Storefront Store Name and click Create

Browse to Traffic Management > Service Groups. Click Add

Enter a Name, for example Storefront Group. Select SSL as Protocol and click Continue

Click Settings


Click on the Settings edit button

Enable Client IP and enter the following Header: X-Forwarded-For. Click Save.

Click on Members

Click on the arrow on the right side of the Service Group Members


Click Add

Select Server Based and select the first Citrix Storefront server. Configure 443 as port and click Save

Click Add again

Select Server Based and select the second Citrix Storefront server. Configure 443 as port and click Save

Click Close

Click on Monitors

Click on the arrow on the right side of the Members

Click Add

Select the Storefront Monitor and click Insert

Click Save

Click Done

The Storefront Services Group is now created, if everything is correct the Effective state is UP

Browse to Traffice Management > Virtual Servers and click Add

Fill in a Name, for example Storefront LB. Configure SSL as Protocol. Select IP Address Type, IP Address and enter an available (free) IP Address for the Storefront Load Balancing vServer.

Set the port to 443 and click Continue

Click Continue

Click on Services Group

Click on the arrow on the right side of the Services Group

Click Bind

Select the Storefront Group and click Insert

Click Save

Click on Persistence

Select SOURCEIP as Persistence and set the Time-out (mins) at 20. Click Save

Click SSL Certificate

Click on the arrow on the right side of Certificates, Server Certificates

Click Bind

Select the storefront.domain.lan and click Insert

Click Save

Click on the arrow on the right side of Certificates, CA Certificates

Click Bind

Select the internal Root CA and click Insert

Click Save

Click Done


The final step is to test the configuration. For that I have changed the backgrounds of the Citrix Storefront servers. Citrix Storefront 1 will be the one with the red background, Citrix Storefront 2 will be the one with the blue background.

For this test I will browse to my Storefront Load Balancing address: https://storefront.hobo.lan/Citrix/HoboWeb

As you can see I’m landing on the first Citrix Storefront server.

To test the load balancing I turned off Citrix Storefront server 1. When looking at the Server Group Members, you can see that the first Citrix Storefront has the Down Service State.

When reloading the Storefront page I’m now landing on the second Citrix Storefront server, as you can see with the blue background. So, Load Balancing is working fine!


Storefront Services Group down state

If using NetScaler 10.5 50.9 and NetScaler 10.5 50.10 there is a problem with the Storefront Monitor over SSL. This problem is fixed in NetScaler 10.5 51.10.

If upgrading to this version is not an option, there is a workaround for it, see for more information this topic


  • hello. thanks for your great article. i tried this at our demo lab, but i get always “cannot complete your request” when i Launch the storefront site over the loadbalancer ip. if i try it direct on one of the 2 storefront Servers, i can Login with no Problem.

    i see the following error in german in the eventlog.

    Ein Fehler ist aufgetreten bei einer Ressourcenlistenanforderung.
    System.InvalidOperationException, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Fehler im XML-Dokument (0,0).
    bei Citrix.DeliveryServicesClients.Resources.ResourcesClient.TryGetChallenge(Exception ex, String serviceUrl)
    bei Citrix.DeliveryServicesClients.Resources.ResourcesClient.GetResources(String serviceUrl, String token, Boolean fullEnumeration, Dictionary`2 extraHeaders, String clientAddress, String clientName, CitrixAuthChallenge& challenge)
    bei Citrix.Web.StoreProxy.Controllers.ResourcesController.GetResources(List`1 resourceDetails)
    bei Citrix.Web.StoreProxy.Controllers.ResourcesController.List(ResourcesRequestParamsDto parameters)

    System.Xml.XmlException, System.Xml, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Das Stammelement ist nicht vorhanden.
    bei System.Xml.XmlTextReaderImpl.ThrowWithoutLineInfo(String res)
    bei System.Xml.XmlTextReaderImpl.ParseDocumentContent()
    bei System.Xml.XmlReader.MoveToContent()
    bei Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderResourcesDto.Read1_resources()

    any ideas?

    Kind regards, sebastian

  • hello Robin, thanks, that worked. it seems that the wizard (integrate with xenapp and xendesktop) brakes the config. if i make the Settings without the wizard, there are no Problems.

    do you have any Information if i want to use netscaler Gateway with the lb created in your article. are there any Special Settings? because you can activate the load balancing tab in the wizard, which is not working.

    my storefront LB is working, but now i want to configure netscaler Gateway (virtual Server) with the LB Storefront.

    Kind regards,


    • hello Robin, me again 🙂

      if i want to load Balance ddc, have you Information about to do that? or is not necessary if you have 2 ddcs in your site and configured it on the vda Agent and under storefront delivery Controllers configuration?

  • hello, any hints on configuring xd-ddc monitor for loadbalancing the ddc? or if the LB with DDC on netscaler is working, can you change the delivery controller on the vda agent to the fqdn of the load balancer ip, configured for LB DDC.


  • Hey!

    maybe someone can help me. I’ll get this error message when trying to import the pfx file:

    There was an error while performing this operation. Details: Cannot find the requested object.

    Could it happen because I used a pem file and not the storefront.cer file? I also linked the certificate with the rootCA.

    • Are you downloading the pfx file from a NetScaler with version 10.5 50.9 / 50.10? In that case there will be an error message on the first line of the file (you can open it with notepad to see if that the case). If so, try to download it with an other tool or upgrade your NetScaler to at least version 10.5 51.10.

  • Dear robin,

    I am in process of configuration of Storefront 2.6 with NS 10.1.

    I have a doubt regarding the certificate.

    Storefront 1 hostname

    Storefront 2 Hostname

    LBVIP in Netscaler Hostname :

    So I need to have 3 different certificate or all the certificate name should be the lb vip name

  • Very good blog!
    I have just one question:

    In a very small deployment (40 users), can I install storefront on the same serversas he delivery controller so I can get away with 2 servers instead of 4?

  • Hi Robin

    Great article. Any problems using 3rd party wIldcard certificate? I’m assuming there should not be a problem.

  • Amazing blog! Can you please write an article about XenDesktop, XenApp and Xenmobile Enterprise integration, outlining how they are fit together, configuration on Netscaler and stuff? There is so little information available for that at the moment, even on Citrix edocs.. there is a lot of confusion going on as to how you can publish XenApp Applications and Windows Desktops using WorxHome…Any help will be really appreciated!

  • Hi Robin,

    Best guide out there!!

    We’re looking to load balance our external and internal storefront servers for connection to a XenApp7.6 farm. Do we need 2 instances of NetScaler to do this (one for internal, one for external) with 2 different sets of Storefront servers (again one for external and one for internal)??

    Many Thanks


    • Hi Gary, you can use the same NetScaler to loadbalance more than one group of servers. Next to StoreFront you can also load balance PVS traffic and the XenDesktop controllers for example.

  • HI,

    Robin hobo are u working in fujitsu company.

    I am big fan; when I was learning new versions are having any doubts I will go and see ur blog frist(because I learning myself new technologies or products of citrix based on ur docs )

  • Hi Robin,

    your step-by-step documentations are great. Thanky you for that!
    I have a question concerning the Delivery Controller which you add in the StoreFront configuration during creating the Store. You have added a Server called “citrix.hobo.lan” that sounds to me like a cluster name. Is that true? If yes how did you made the Cluster for Delivery Controller? I find no infos online.

    Thank you!



  • Really helpful guide, thanks. The storefront probe never worked for me so I changed to SSL and it started working.

  • WOW!!! amazing article. Thanks a lot Robin. You are rock star!!!!!!.

    Now i am very clear on CA & Storefront.

  • Great article! Highly detailed and maybe I missed something among all those details.

    Almost everything went smoothly but I hit a wall with the virtual server. For my virtual server, the State and Effective State are both Down.

    Any idea where I could have missed something?


  • Thanks RobinGreat article and tutorial.

    I followed exactly your tutorial and the i implementation went success.
    The biggest issue were Chromebook with HTML5.
    NetScaler Gatway solved the problem for the user who have ChromeBook.

  • I have the same problem Bernard had. My virtual server reports both State and Effective State as Down. What is the enabling SSL Offloading thing?

    Thanks a lot for the guide!

  • Brilliant Guide Robin, really helped me get my head around the netscaler LB.

    One question Both my Service Group and Virtual server have an effective state of Down. Any recommendations on where to start looking?

    • Hi Dean, Thanks. Yes you can start by looking at your monitors. Will the state be UP when using the default TCP monitor for example? Regards, Robin

  • Hi Robin, Great article, as usual 🙂
    When configured like this, I have an issue when i shut down StoreFront server 1, I cannot log on anymore (error 500). When shutting down server 2, everything keeps working.
    This only happens from the netscaler side. internal access to storefront VIP keeps working, no matter which Storefront server is down

  • Hi Robin,

    This article is so amazingly helpful to people fairly new to Netscalers like me. Amazing. It took so many questions away I had about a current setup.

    Keep it up and cheers.

  • Great Article. Thanks for the post. I implemented it the same way here and it works fine.

    Question Robin; if I am renewing my internal /domain certificate ( I meant the one imported on my storefront in .PFX format. Do I need to go through the same process of creating the cert the same way and export and import as .PFX on my storefront server?
    Thanks for your help

  • Hello

    Your step by step user guides are great, Excellent work.

    Can you please post a Netscaler 12 installation, configuration with a StoreFront integration.

    Many Thanks in Advance

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.